Censys in the News: ESXiArgs Ransomware Coverage

 

The Censys research team has been closely monitoring the spread of ESXiArgs ransomware since it was first detected in early February. The team has used Censys internet scanning data to track infected hosts across countries, to monitor how the hacker group has since responded, and to develop a dashboard with Censys data that researchers can use to track the ransomware.

As ESXiArgs ransomware activity unfolded, the story and our team’s work on it gained press pickup across 20+ industry publications and counting. You can check out a roundup of top articles below.

ESXiArgs ransomware: A timeline of events

First, let’s revisit what’s happened since the discovery of the ESXiArgs ransomware.

1.A ransomware campaign targeting VMWare ESXi servers began in early February. Infections peaked on Feb. 3, at which time Censys observed 3,551 infected hosts.

2. Interestingly, the campaign presented ransom notes to the internet, making them visible to Censys’ passive scanners. We could also see that bitcoin wallet addresses were posted on the ransom pages, which allowed us to track payments.

3. We observed that France, the U.S., Germany, Canada, and other countries have seen attacks, with many occurring in France.

4. CISA then released a decryption tool; however, the hacker group responded by removing BTC addresses and encrypting additional data, making the existing decryption tools ineffective.

5. On February 11, the Censys team observed a burst of newly infected hosts, and discovered two hosts with very similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life.

6. The Censys team created a dashboard (using Censys data that’s updated every 24 hours) for researchers to track the spread of the campaign.

Find a full breakdown of our research team’s work in this Evolution of ESXiArgs Ransomware Censys blog post. 

Press coverage

Bleeping Computer – Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

In this February 3 article, released on the day Censys observed peak ESXiArgs ransomware infections, Bleeping Computer reported on the active targeting of ESXi VMware servers. In updates to the article made on February 6, Bleeping Computer cites new data from Censys about infected servers: “…numbers quickly grew over the weekend, with 2,400 VMware ESXi devices worldwide currently detected as compromised in the ransomware campaign, according to a Censys search.”

Cyberscoop – Global ransomware spree infects unpatched VMWare servers. CISA has a (possible) fix. 

Cyberscoop recounts how France’s CERT-FR first picked up ESXiArgs ransomware using Censys internet scan data and provides detail on how those impacted can use CISA’s ransomware recovery script on GitHub.

Reuters – No evidence global ransomware hack was by state entity, Italy says 

Reuters cites data from Censys showing thousands of servers around the world affected by ESXiArgs ransomware, with the majority located in France, the U.S., and Germany. Reuters reports that Italy’s National Cybersecurity Agency does not believe that “a state or hostile state-like entity” is responsible, despite the global nature of the attack.

The Hacker News – ESXiArgs Ransomware Hits Over 500 New Targets in European Countries 

On February 16, The Hacker News reported Censys’ finding that new targets in Europe had been hit by ESXiArgs ransomware. The article states that “The findings come from attack surface management firm Censys, which discovered ‘two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life.’” The Hacker News also includes statements from Censys Senior Security Researchers Mark Ellzey and Emily Austin.

TechTalk – Thousands of victims apparently hit by ESXiArgs ransomware

TechTalk spoke with Censys Senior Security Researcher Emily Austin about the wave of hosts infected by a new variant of the ESXiArgs ransomware. “’[Threat actors] likely followed updates from the security community and realized that researchers were tracking their payments, and may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent,’ Austin said.”

Equinix – LinkedIn Coverage from Head of Equinix Threat Analysis Center, Sean O’Conner

The Censys research team’s work on ESXiArgs ransomware caught the attention of Head of Equinix Threat Analysis Center Sean O’Conner. Sean shared out the Censys team’s interactive dashboard and noted the batch of newly-infected servers that had been picked up by Censys scanning.

Continue Reading 

Additional ESXiArgs ransomware press coverage includes:

• BankInfo Security – Ransomware campaigns compromise more VMware ESXi hosts
• CISO Series – Cyber Security Headlines: Reddit admits breach, Clop exploits GoAnywhere, CISA’s VMWare fix
• CRN – VMware: Ransomware Attacks Show Virtual Infrastructure Is A ‘High-Value Target’
• Cybersecurity Dive – Unsophisticated ransomware campaign targeting VMware ripe for copycats
• HelpNet Security – CISA releases ESXiArgs ransomware recovery script
• ISMG – Ransomware: ESXiArgs Campaign Snares at Least 2,803 Victims
• ITPro UK – ESXi ransomware campaign strikes Florida Supreme Court, worldwide universities
• ITWorld Canada – A fake Emisoft code-signing certificate found, increasing VMware ransomware detected  
• SC Media – CISA releases ESXiArgs-recovery tool for VMware ransomware victims
• SecurityWeek – ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware
• Security Week – Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability
• TechRepublic –  Massive ransomware operation targets VMware ESXi: How to protect from this security threat
• TechMonitor – ESXiArgs ransomware gang releases new malware to fight CISA workaround
• The Record by Recorded Future – More than 18,500 ESXi servers still vulnerable to VMware bug behind initial ransomware spree